Service Operations Insight

Hi Everyone,

I'm trying to parse the alert content in the APM XML policy in order to enrich the alert, but am struggling to retrieve the content of the variable.

Use case:
Alert Summary contains a string like "embeddor |back|WASBACKPVLSK00| ** Failing embeddor checks pdbacka00 |http//WASBACKPVLSK00.santanderuk.corp7307/BDPABB_ENS/Embeddor:is now failing violated threshold".

I'd like to be able to extract the third field separated by pipe, so in this example it would be "WASBACKPVLSK00". Then I need to assign the value of split_server variable to a userAttribute.

Results:
I have tried using both RegExs shown in the Parse section of the code extract below, but neither of them populate userAttribute7 with anything at all (not even just the "09:20" string) - I commented that line out and tried with a simple literal string in the next line and that works fine.

I am now stuck and would appreciate any guidance that can be provided.

APM EventClass code:

 <EventClass name="Embeddor_Alerts" extends="Alert">
  <Parse>
   <Field input="Summary" pattern="([^\|]*)\|([^\|]*)\|([^\|]*)" output="split_emb,split_cell,split_server" />
   <!-- Field input="Summary" pattern="^(.*)\|(.*)\|(.*)\|" output="split_emb,split_cell,split_server" / -->
  </Parse>
  
  <Format>
   <!-- Build the Generic helpfile URL for embeddors -->
   <Field output="userAttribute3" format="http://alerthub.unix.santanderuk.corp/help/wily/Embeddor/embed" input="" />
   <Field output="userAttribute5" format="APM_Alert_ComputerSystem" input="" />
   <Field output="userAttribute6" format="Polled" input="" />
   <Field output="userAttribute9" format="APM (Introscope)" input="" />
   <Field output="userAttribute2" format="{0}" input="UrlParams" />
   <Field output="Message" format="&lt;b&gt;Hostname: &lt;/b&gt;{0} &lt;b&gt;&lt;br/&gt;Problem: &lt;/b&gt;{1} &lt;br/&gt;{2} &lt;br/&gt;&lt;br/&gt;&#60;a href=&#34;{3}&#34;&#62;&#60;b&#62;&#60;u&#62;Click here for Ops instructions&#60;/b&#62;&#60;/u&#62;&#60;/a&#62; &lt;br/&gt;&lt;br/&gt;&#60;a href=&#34;{4}&#34;&#62;&#60;b&#62;&#60;u&#62;APM Console&#60;/b&#62;&#60;/u&#62;&#60;/a&#62;&lt;br/&gt;" input="AlertedMdrElementID,userAttribute9,Summary,userAttribute3,UrlParams" />
   <!-- Field conditional="split_server" output="userAttribute7" format="09:20 {0}" input="split_server" / -->
   <Field output="userAttribute7" format="10:00 {0}" input="test" />
  </Format>
 
  <Write>
   <Field type="publishcache" properties="*"/>
  </Write>
 </EventClass>
 

Many thanks
Chris

Hi Chris,

the reason you are not even getting the string "09:20" is because you are using a "conditional".

That means, only when the attribute "split_server" is set, this line will be executed.

If you want to get all three attributes (emb, cell, server), try this pattern: "^(.*?)\|(.*?)\|(.*?)\|.*$"

If you only want to get the third one (server), try: "^.*?\|.*?\|(.*?)\|.*$"

There is a nice regex tester, which I always use to develop more complex patterns.  It works in exactly the same way as the connector parser: Online regex tester and debugger: PHP, PCRE, Python, Golang and JavaScript 

Let me know if it works.

MichaelBoehm

Additional information:

The parser works from right to left.

You have more than three pipe characters in the string, thus you have to let the system know which three you want to use for parsing.

When using ".*?" instead of ".*", the system is using the "shortest possible" string, e.g. in the above pattern you get the first three pipe characters.

You can see the effects very nicely in the above regex tester, when removing any of the "?" from the pattern.

MichaelBoehm

Hi Michael,

Thanks very much for the speedy response. I clearly need to brush up on my RegEx skills! :-)

I was using the "conditional" statement as previously I thought that was the only way I could use the contents of a variable that had been set earlier in the code ...now I know differently.

Thanks again!

Regards
Chris

I actually went with something a little more specific in the end...

^(\w+)\s*\|(\w+)\s*\|([\w-]+)\s*\|(.*)$

i.e. Any number of alpha-numeric characters, separated by whitespaces(s) and a pipe just in case there are trailing spaces to catch the first three fields ...like there is in the first field in my example and the third field may have multiple hyphens as well because they can occur in our server names e.g. WASBACKPVLSK00-T